ML22249A062

From kanterella
Jump to navigation Jump to search
Official Presence Use of Social Media Platforms Privacy Impact Assessment (Pia)
ML22249A062
Person / Time
Issue date: 08/01/2022
From: Castelveter D
Office of Public Affairs
To:
Castelveter D
References
Download: ML22249A062 (26)
v  d  e


Text

U.S. Nuclear Regulatory Commission

Privacy Impact Assessment

Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act, the Paperwork Reduction Act information collection requirements, and records management requirements.

Please do not enter the PIA document into ADAMS. An ADAMS accession number will be assigned through the e-Concurrence system which will be handled by the Privacy Team.

Official Presence Use of Social Media Platforms

Date: August 1, 2022.

A. GENERAL SYSTEM INFORMATION

1. Provide a detailed description of the system: (Use plain language, no technical terms.)

The Nuclear Regulatory Commission's (NRCs) Official Presence Social Media initiative is designed to increase the NRC's use of third-party social media services in an incremental fashion, enabling the NRC to conduct its Open Government activities in new and innovative ways, while complying with applicable laws, policies and regulations. As an effort under the NRC's Open Government Flagship initiative1, the implementation of an agency-wide official presence using third-party social media services/sites supports new ways to increase transparency, collaboration, participation with the public, and other key stakeholders. These social media activities are consistent with the NRC's current policies and procedures for the deployment of the tools and services envisioned under this effort. See Appendix A of this document for a list and description of the specific tools that are part of this initiative.

The use of social media platforms/tools represents a strategic communication mechanism to help the NRC expand outreach efforts to engage new audiences not currently accessing NRC information. These tools will be used to help individuals and organizations better understand the NRCs mission, roles, responsibilities, actions, and policies as well as provide them with more easily accessible information on specific topics of interest.

Social media interactions and applications include a sphere of non-government websites and web-based tools that focus on connecting users, inside and outside of NRC, to share information and media, and collaborate. Third parties control and operate these non-governmental websites; however, the NRC may use them as alternative channels to provide robust information and engage with the public.

The NRC may also use these websites to make information and services widely available, while promoting transparency and accountability, as a service for those seeking information about or services from the NRC. This privacy impact

1 NRCs Open Government Flagship Initiative, http://www.nrc.gov/public-involve/open/philosophy/nrc-open-gov-plan.pdf#page=35

PIA Template (07-2022) 1 assessment (PIA) analyzes the NRCs use of social media and how these interactions and applications could result in the NRC receiving personally identifiable information (PII). This PIA describes the information the NRC may have access to, how it will use the information, and what information is retained and shared. Appendix A of this PIA will serve as a listing, to be updated periodically, of NRC official presence social media interactions and applications that follow the requirements and analytical understanding outlined in this PIA.

2. What agency function does it support? (How will this support the U.S.

Nuclear Regulatory Commissions (NRCs) mission, which strategic goal?))

The requirements and associated recommendations for the use of social media services within this document are consistent with the NRCs Strategic Plan2, the Office of Management and Budget (OMB) Open Government Directive3, and the NRCs Open Government Plan4. The specific requirements for establishing an NRC official presence using third-party social media services/sites spans five primary functional areas:

Information Dissemination (public information/content),

Information Collection (in the form of comments [if applicable, see Appendix A], questions and ideas submitted by the public as part of a public dialogue),

Applying NRC Branding to social media Tools and Services, New Information Distribution Channels, Administrative Requirements.

Within each of these functional areas, the NRC also requires a number of service characteristics for each functional requirement. The primary required service characteristics include:

Increased speed of distribution of agency content, Enhanced access to agency content through multiple channels, Enhanced interaction with the public and other agency stakeholders, Increased scale and reach across all potential stakeholders.

The combination of the NRC's functional requirements and the required service characteristics represent the primary requirements for the use of third-party social media services to meet the NRC's needs.

2 Strategic Plan: Fiscal Years 2022-2026 (NUREG-1614, Volume 8) https://www.nrc.gov/docs/ML2206/ML22067A170.pdf 3 OMBs Memorandum M-10-06, Open Government Directive, available at https://obamawhitehouse.archives.gov/omb/assets/memoranda_2010/m10-06.pdf 4 NRCs Open Government Plan, available at https://www.nrc.gov/public-involve/open/philosophy.html#plan.

PIA Template (07-2022) 2

3. Describe any modules or subsystems, where relevant, and their functions.

Blogging tool, video channel, such as YouTube.com, micro-blogging tool, such as Twitter.com, photo gallery, such as Flickr.com and social networking tools, such as Facebook and Instagram. These modules are used to publish content or conduct close-ended discussions with the public, publish videos, snippets of content, and images related to the agency and its mission in order to increase transparency, collaboration and participation with the public and other key stakeholders.

a. Provide ADAMS ML numbers for all Privacy Impact Assessments or Privacy Threshold Analysis for each subsystem.

ML18031A847 and approved February 23, 2018.

4. What legal authority authorizes the purchase or development of this system? (What law, regulation, or Executive Order authorizes the collection and maintenance of the information necessary to meet an official program mission or goal? NRC internal policy is not a legal authority.)

Both the Presidents Transparency and Open Government Memorandum5 dated January 21, 2009, and the OMB Open Government Directive Memorandum dated December 8, 2009, direct Federal departments and agencies to harness new technologies to engage the public and serve as one of the primary authorities motivating the NRCs efforts to utilize social media websites and applications.

Authorities that impact the NRCs use of social media websites and applications include:

5 U.S.C. § 301; 5 U.S.C. § 552a, Privacy Act of 1974, as amended; 44 U.S.C. § 31, Federal Records Act; 44 U.S.C. § 3501, Paperwork Reduction Act of 1995; Section 208 of the E-Government Act of 2002; The Presidents Memorandum on Transparency and Open Government, January 21, 2009; The OMB Directors Open Government Directive Memorandum, December 8, 2009; OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications (June 25, 2010) 6; and OMB Memorandum for the Heads of Executive Departments and Agencies, and Independent Regulatory Agencies, social media, Web-Based Interactive Technologies, and the Paperwork Reduction Act, (April 7, 2010) 7.

5 President Barack Obama, Memorandum on Transparency and Open Government, available at https://obamawhitehouse.archives.gov/the-press-office/transparency-and-open-government.

6 OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications, available at https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/memoranda_2010/m10-23.pdf 7 OMB Memorandum for the Heads of Executive Departments and Agencies, and Independent Regulatory Agencies, Social Media, Web-Based Interactive Technologies, and the Paperwork Reduction Act, available at

PIA Template (07-2022) 3

5. What is the purpose of the system and the data to be collected?

The third-party social media service/sites will provide the agency with the ability to communicate and educate the public about the NRC and mission activities and collaborate with the public and stakeholder groups. Please also refer to section C - USES OF SYSTEM AND INFORMATION.

6. Points of

Contact:

(Do not adjust or change table fields. Annotate N/A if unknown. If multiple individuals need to be added in a certain field, please add lines where necessary.)

Project Manager Office/Division/Branch Telephone

Stephanie West OPA 301-415-8200

Business Project Manager Office/Division/Branch Telephone

Holly Harrington OPA 415-8203

Technical Project Manager Office/Division/Branch Telephone

N/A N/A N/A

Executive Sponsor Office/Division/Branch Telephone

David Castelveter Director, OPA 301-415-8201

ISSO Office/Division/Branch Telephone

Consuella Debnam OCIO 301-287-0834

System Owner/User Office/Division/Branch Telephone

David Castelveter OPA 301-415-8201

https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/inforeg/SocialMediaGuidance_04072 010.pdf

PIA Template (07-2022) 4

7. Does this privacy impact assessment (PIA) support a proposed new system or a proposed modification to an existing system?
a. New System

X Modify Existing System

Other

b. If modifying or making other updates to an existing system, has a PIA been prepared before?

Yes.

(1) If yes, provide the date approved and the Agencywide Documents Access and Management System (ADAMS) accession number.

Original PIA is maintained in ADAMS at ML103410478 and approved 12/14/2010. First update to original PIA maintained in ADAMS at ML11159A004 and approved 6/22/2011. Second update to original PIA maintained in ADAMS at ML11307A211 and approved 11/15/2011. Third update to original PIA maintained in ADAMS at ML13028A183 and approved 2/11/2013. Fourth update to PIA maintained in ADAMS at ML13316A942 and approved 11/27/2013. Fifth update to PIA maintained in ADAMS at ML18031A847 and approved February 23, 2018.

(2) If yes, provide a summary of modifications or other changes to the existing system.

The social media program is being modified to include Instagram as an added platform in the agencys Official Presence Use of Social Media Platforms system. Instagram has been added to the Appendix A listing of NRC official presence use of social media interactions and applications that follow the requirements and analytical understanding outlined in this PIA. The PIA has been reviewed to ensure information is accurate and current.

8. Do you have an NRC system Enterprise Architecture (EA)/Inventory number?

Yes.

a. If yes, please provide the EA/Inventory number.

Official Presence Social Media EA-20100012.

b. If, no, please contact EA Service Desk to get the EA/Inventory number.

N/A.

PIA Template (07-2022) 5 B. INFORMATION COLLECTED AND MAINTAINED

These questions are intended to define the scope of the information requested as well as the reasons for its collection. Section 1 should be completed only if information is being collected about individuals. Section 2 should be completed for information being collected that is not about individuals.

1. INFORMATION ABOUT INDIVIDUALS
a. Does this system maintain information about individuals?

Generally, social media websites and applications are privately owned by third parties. These social media websites and applications continue to grow in size and diversity. Because of the depth and diversity of this reach, the NRC is using a diverse set of third-party social media services to achieve mission and Open Government objects.

The need for a user to create a site user account depends on the particular third-party social media service/site. Some third-party services/sites will not require a site visitor to create an account or provide profile information. For example, WordPress (for blogging) does not require site visitors to provide information about themselves to review a post or submit a comment (this can be submitted anonymously).

Social media sites often provide the ability for members of the public to set up their own personal accounts and profiles on the third-party service/site. These sites have their own privacy policies which site users must agree to in order to create an account. Most sites allow site visitors to decide how much information they want to capture about themselves and also to establish rules for whether all or part of their information is made public and to whom (e.g., only to those they have accepted as friends or to anyone with access to the service/site).

Each third-party social media service/site provides its own privacy policy, and while users may be required to submit some personally identifiable information (PII) during the account registration/profile process, the NRC will not solicit or collect this PII. If PII is posted by the individual on the social media website or application or sent to the NRC in connection with the transaction of public business, it may be a federal record and if so, the NRC is required to maintain a copy per the appropriate records management policies.

See Appendix A for referenced privacy policies, information required for account creation, and other details for specifically referenced sites.

PIA Template (07-2022) 6 (1) If yes, identify the group(s) of individuals (e.g., Federal employees, Federal contractors, licensees, general public (provide description for general public (non-licensee workers, applicants before they are licenses etc.)).

If profile data is provided by individuals, then it may include information regarding:

a. General public visiting the web site to view and submit comments, ideas, etc. Members of the public may create their personal accounts with the third-party services and voluntarily share information from their profiles such as name and email address when submitting comments, ideas, etc.
b. NRC Federal employees account information who are assigned to moderate submitted postings. This information will contain their name, NRC email address, position title, and relevant NRC position-specific information.
c. NRC Federal employees and Federal contractors who are assigned to administrate the NRC page and account. This information would include NRC work related information necessary to create their user account information.

(2) IF NO, SKIP TO QUESTION B.2.

b. What information is being maintained in the system about an individual (be specific - e.g., Social Security Number (SSN), Place of Birth, Name, Address)?

See Appendix A for referenced privacy policies, information required for account creation, and other details for specifically referenced sites.

c. Is information being collected from the subject individual? (To the greatest extent possible, collect information about an individual directly from the individual.)

See Appendix A for referenced privacy policies, information required for account creation, and other details for specifically referenced sites.

(1) If yes, what information is being collected?

N/A.

d. Will the information be collected from individuals who are not Federal employees?

See Appendix A for referenced privacy policies, information required for account creation, and other details for specifically referenced sites.

PIA Template (07-2022) 7 (1) If yes, does the information collection have the Office of Management and Budgets (OMB) approval?

No.

(a) If yes, indicate the OMB approval number:

N/A.

e. Is the information being collected from existing NRC files, databases, or systems?

No.

(1) If yes, identify the files/databases/systems and the information being collected.

N/A.

f. Is the information being collected from external sources (any source outside of the NRC)?

No.

(1) If yes, identify the source and what type of information is being collected?

N/A.

g. How will information not collected directly from the subject individual be verified as current, accurate, and complete?

N/A.

h. How will the information be collected (e.g., form, data transfer)?

See Appendix A for referenced privacy policies, information required for account creation, and other details for specifically referenced sites.

2. INFORMATION NOT ABOUT INDIVIDUALS
a. Will information not about individuals be maintained in this system?

Yes.

(1) If yes, identify the type of information (be specific).

These services will be used to post and share public information content on topics of interest to educate, inform, and communicate with the public about NRC activities. Information content can include information already available on the public website. If permitted, members of the public can share comments (if applicable, see Appendix A), questions and ideas related to information posted by the NRC. Information posted on the social PIA Template (07-2022) 8 media website or application or sent to the NRC in connection with the transaction of public business may be a Federal record, and if so, the NRC is required to maintain a copy per the appropriate records management policies.

See Appendix A for referenced privacy policies, information required for account creation, and other details for specifically referenced sites.

b. What is the source of this information? Will it come from internal agency sources and/or external sources? Explain in detail.

NRC offices and staff create content for posting and choose topics for discussion. This can be content that exists on the public website or new content created to engage visitors and topics deemed suitable by the NRC.

Site visitors are members of the general public. Specific services (listed in Appendix A) give site visitors the option to submit comments (if applicable, see Appendix A), questions and ideas related to content that has been posted by the NRC. NRC moderators will review comments and ideas that are submitted by the public for posting or regularly monitor comments that do not require NRC approval before posting (Facebook/Instagram) and if necessary, remove those that do not meet comment policy standards. Moderators will also approve all content postings of publicly available information by NRC staff.

C. USES OF SYSTEM AND INFORMATION

These questions will identify the use of the information and the accuracy of the data being used.

1. Describe all uses made of the data in this system.

The information communicated and collected is considered public information and is used to inform and educate the public about the NRC and its mission activities, reach a wider public audience, and allow for a dialogue between the public, stakeholders, and the NRC. These third-party social media services/sites provide another channel for the NRC to communicate with the public about its regulatory mission. Specific social media services allow the public to contribute their opinions and ideas related to the agencys business activities. Public comments and information posted by members of the public will be shared with appropriate NRC offices where applicable. See Appendix A for referenced privacy policies, which services are to permit the posting of comments, information required for account creation, and other details for specifically referenced sites.

2. Is the use of the data both relevant and necessary for the purpose for which the system is designed?

Yes.

PIA Template (07-2022) 9

3. Who will ensure the proper use of the data in this system?

The NRCs Office of Public Affairs (OPA) will oversee and administer the third-party social media services/sites used to establish an NRC official presence.

OPA will work with the NRC program offices to publish relevant and accurate information, respond to public comments (if applicable, see Appendix A),

questions and ideas, and to ensure proper use of information exchanged through these third-party social media channels.

4. Are the data elements described in detail and documented?

Yes.

a. If yes, what is the name of the document that contains this information and where is it located?

See Appendix A for information related to specifically referenced sites.

5. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No.

Derived data is obtained from a source for one purpose and then the original information is used to deduce/infer a separate and distinct bit of information that is aggregated to form information that is usually different from the source information.

Aggregation of data is the taking of various data elements and then turning it into a composite of all the data to form another type of data (i.e. tables or data arrays).

a. If yes, how will aggregated data be maintained, filed, and utilized?

N/A.

b. How will aggregated data be validated for relevance and accuracy?

N/A.

c. If data are consolidated, what controls protect it from unauthorized access, use, or modification?

N/A.

6. How will data be retrieved from the system? Will data be retrieved by an individuals name or personal identifier (name, unique number or symbol)?

(Be specific.)

Depending on the specific third-party social media service/site, visitors to the site may be able to view all posted information and comments (if applicable, see Appendix A) submitted on the site (if applicable). This information will be publicly available. The NRCs OPA moderator(s) and Office of the Chief Information Officer (OCIO) administrator(s) can also view the information directly on the web PIA Template (07-2022) 10 site as well as retrieve the information via methods such as file exports, depending on the site capabilities.

If PII is collected on a social networking or social media site or sent to the NRC in connection with the transaction of public business, it will not be retrieved by personal identifier.

a. If yes, explain, and list the identifiers that will be used to retrieve information on the individual.

N/A.

7. Has a Privacy Act System of Records Notice (SORN) been published in the Federal Register?

No.

a. If Yes, provide name of SORN and location in the Federal Register.

N/A.

8. If the information system is being modified, will the SORN(s) require amendment or revision?

No.

9. Will this system provide the capability to identify, locate, and monitor (e.g., track, observe) individuals?

No.

a. If yes, explain.

N/A.

(1) What controls will be used to prevent unauthorized monitoring?

N/A.

10. List the report(s) that will be produced from this system.

Reporting capabilities are heavily dependent on the specific third-party social media services/sites being used. Reports are potentially viewable on-line by the OPA moderators and OCIO administrators only. These reports can be exported to downloadable files. The data in these reports may include statistical information about the activities performed on the site, blog comments, and other voluntary information provided by the visitor (their e-mail address or name).

a. What are the reports used for?

To provide administrative and performance metrics on the site activity or postings submitted by visitors of the third-party social media service/site,

PIA Template (07-2022) 11 including a data export of all comments (if applicable, see Appendix A) or postings for record requirements.

b. Who has access to these reports?

Only limited OPA moderators and OCIO administrators will have access to these reports.

D. ACCESS TO DATA

1. Which NRC office(s) will have access to the data in the system?

OPA moderator(s) will be able to review, monitor, approve and remove all posted content, which will be publicly available information on the social media service/site. OCIO administrators will be able to view all information collected on-line, as well. All NRC employees will be able to see the posted information and comment on it (if applicable, see Appendix A).

(1) For what purpose?

OPA moderator(s) will review submitted content prior to publishing it on the social media service. The OCIO administrator(s) will access the information to support OPA's business activities and adjust the look and feel of the site (as directed by OPA).

(2) Will access be limited?

Administrator/moderator access will be limited to OPA and designated OCIO personnel. Content that is posted to these sites will be publicly available on the Internet. OPA moderator(s) and OCIO administrator(s) will administer the agency's accounts.

2. Will other NRC systems share data with or have access to the data in the system?

Yes.

(1) If yes, identify the system(s).

In most cases, information (e.g., comments (if applicable, see Appendix A), ideas, questions, etc.) is accessible directly from a web browser.

(2) How will the data be transmitted or disclosed?

When the OPA/OCIO Administrator or Moderator is logged in, their information will be transmitted to the browsers securely and encrypted over a Hypertext Transfer Protocol Secure (HTTPS) protocol.

3. Will external agencies/organizations/public have access to the data in the system?

Yes.

PIA Template (07-2022) 12 (1) If yes, who?

The NRC does not own or control social media websites and applications, and accesses them only as a user. The public will have access to content posted and published by NRC staff to the third-party social media website/service. In addition, the public will have access to submit comments or questions about the posted content using the comment capabilities provided by the third party social public media service/site (if applicable, see Appendix A).

(2) Will access be limited?

Information managed by NRC administrators and moderators will be restricted to designated NRC personnel. Passwords for accounts will be controlled by the NRCs OPA and will ensure that only authorized individuals have access to the accounts. The OPA must set-up an official account that clearly establishes the account is managed by NRC.

(3) What data will be accessible and for what purpose/use?

Public communication such as informational posts on topics of relative interest to NRC business activities, photos, videos, etc. will be made available by OPA (or approved subject matter experts) to increase outreach and inform the public and stakeholders. OPA will work with NRC program offices to identify topics of interest for creating public posts. This information is similar in nature to information found on the NRC public web site. Use of third-party social media service/sites will enable the NRC to reach wider audiences and (for specific social media sites) with information on topics of public interest.

(4) How will the data be transmitted or disclosed?

When the OPA/OCIO Administrator or Moderator is logged in, their information will be transmitted to the browsers securely and encrypted over a Hypertext Transfer Protocol Secure (HTTPS) protocol.

E. RECORDS AND INFORMATION MANAGEMENT (RIM) - RETENTION AND DISPOSAL

The National Archives and Records Administration (NARA), in collaboration with federal agencies, approves whether records are temporary (eligible at some point for destruction/deletion because they no longer have business value) or permanent (eligible at some point to be transferred to the National Archives because of historical or evidential significance). These determinations are made through records retention schedules and NARA statutes (44 United States Code (U.S.C.), 36 Code of Federation Regulations (CFR)). Under 36 CFR 1234.10, agencies are required to establish procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems. The following question is intended to determine whether the records and data/information in the system have approved records retention schedule and disposition instructions, whether the system incorporates Records and Information Management and NARAs Universal Electronic Records Management requirements, and if a strategy is needed to ensure compliance.

PIA Template (07-2022) 13

1) Can you map this system to an applicable retention schedule in NRCs Comprehensive Records Disposition Schedule (NUREG-0910), or NARAs General Records Schedules (GRS)?

No. This information collection will need to be scheduled appropriately.

Additional information/data/records from Social Media platforms kept in ADAMS will need to be scheduled; therefore, NRC records personnel will need to work with staff to develop a records retention and disposition schedule for records created or maintained. Until the approval of such schedule, these records and information are Permanent. Their willful disposal or concealment (and related offenses) is punishable by fine or imprisonment, according to 18 U.S.C., Chapter 101, and Section 2071. Implementation of retention schedules is mandatory under 44 U.S. 3303a (d), and although this does not prevent further development of the project, retention functionality or a manual process must be incorporated to meet this requirement.

IRMG 2019 Creating and Managing Social Media Records on NRC-sponsored Social Media Websites (ML20009D327).

GRS 6.4 covers Public Affairs Records (https://www.archives.gov/files/records-mgmt/grs/grs06-4-sch-guide.pdf); however, many exclusions apply.

NARA Bulletin 2014-02, Guidance on managing social media records, provides high-level requirements to consider when scheduling these records (https://www.archives.gov/records-mgmt/bulletins/2014/2014-02.html).

a. If yes, please cite the schedule number, approved disposition, and describe how this is accomplished (then move to F.1).

For example, will the records or a composite thereof be deleted once they reach their approved retention or exported to an approved file format for transfer to the National Archives based on their approved disposition?

N/A.

b. If no, please contact the RIM staff at ITIMPolicy.Resource@nrc.gov.

N/A.

F. TECHNICAL ACCESS AND SECURITY

1. Describe the security controls used to limit access to the system (e.g., passwords).

Each third-party social media service/site used to create an NRC official presence will provide capabilities to create administrator and/or moderator accounts to allow NRC staff in OPA, and designated staff in NRC offices, to manage site content and respond to public comments (if applicable, see Appendix A). Login and privileged activity will be conducted over secure sessions using HTTPS. Management Directive MD 5.5: Public Affairs Program describes

PIA Template (07-2022) 14 relevant security requirements for NRC staff that will create and manage NRC official accounts.

OPA moderators and OCIO administrators can only perform their assigned functions after access authentication with their login ID and password credentials. Viewing of public information posted will not require access authentication.

Contractors may provide support for the NRCs use of social media websites and applications. Contractor access will be authorized based on the roles and responsibilities required by the contract.

2. What controls will prevent the misuse (e.g., unauthorized browsing) of system data by those having access?

Information posted on these third-party social media services/sites is considered to be public by its very nature. Also, access to public information is not limited by the NRC or the third-party social media service/site. Administrator/moderator information is protected by the social media site by requiring administrators and moderators to securely login using encrypted sessions (HTTPS) to access and administer the NRC's official presence on site.

3. Are the criteria, procedures, controls, and responsibilities regarding access to the system documented?

Yes.

(1) If yes, where?

OPA, in collaboration with OCIO, will document administration and moderation procedures, controls and responsibilities.

Management Directive MD 5.5: Public Affairs Program, issued April 26, 2018 (ADAMS accession #ML18067A521), outlines who may or may not sign up to create an NRC official presence or account on a third-party social media service/site.

4. Will the system be accessed or operated at more than one location (site)?

Yes.

a. If yes, how will consistent use be maintained at all sites?

The social media site/application is designed to be accessed by anyone from anywhere. Information content managed by the third-party social media service consists of non-sensitive public information.

Designated OPA representatives (which may include authorized contractors) may contribute to and post information. These individuals are located at NRC Headquarters. Information will be managed using the capabilities provided by the third-party social media service/site.

PIA Template (07-2022) 15

5. Which user groups (e.g., system administrators, project managers, etc.)

have access to the system?

OPA moderators and designated NRC staff will have access to all public comments that are posted to the NRC official presence social media sites.

OCIO administrators will support the needs of OPA and have administrator rights for the specific social media site to support changes to the look and feel of the site, manage moderator accounts, as well as other administrator activities as needed and directed by OPA.

In addition, employees of third-party social media websites and services designated as Administrators have access to their own systems. These Administrators typically use this access to assist with technical issues. The ability of employees of third-party sites to access client information is managed by the respective company's terms of service or privacy policy.

6. Will a record of their access to the system be captured?

This is dependent on the specific social media site.

a. If yes, what will be collected?

Third party social media services/sites will normally capture the following information:

A record of site visitor comments (if applicable, see Appendix A) submitted with a date/time Administrator activity.

Moderator activity.

7. Will contractors be involved with the design, development, or maintenance of the system?

Yes, but we do not collect information about individuals, therefore; contract clauses are not applicable.

If yes, and if this system will maintain information about individuals, ensure Privacy Act and/or PII contract clauses are inserted in their contracts.

FAR clause 52.224-1 and FAR clause 52.224-2 should be referenced in all contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function

PII clause, Contractor Responsibility for Protecting Personally Identifiable Information (June 2009), in all contracts, purchase orders, and orders against other agency contracts and interagency agreements that involve contractor access to NRC owned or controlled PII.

PIA Template (07-2022) 16

8. What auditing measures and technical safeguards are in place to prevent misuse of data?

The content and dialogue posted on the social media service will be in the public domain. Information that is misstated or misused should be reported to OPA, who will follow up with the NRC program offices, as appropriate. Most third-party social media services/sites provide auditing capabilities for content that is published and comments that are posted by visitors (if applicable, see Appendix A).

Content information to be maintained by the NRC will be added to ADAMS, which has technical safeguards in place to prevent misuse of data.

9. Is the data secured in accordance with the Federal Information Security Management Act (FISMA) requirements?

There are two places where the information will be maintained.

Third party social media services/sites. These are not controlled by the NRC. Security controls are implemented by these providers, and some have third party certifications. Whenever possible, to meet business requirements, the NRC will leverage third party social media services that are sponsored by the General Services Administration (GSA). GSA is also in the process of standing up a secure cloud service for selected third party social media services. NRC will leverage available services through GSA in order to take advantage of GSA provided terms of service and enhanced security features.

ADAMS. This system is operated in accordance with FISMA requirements.

Content that is to be published in the public internet domain will be reviewed by the information owner and/or OPA to ensure it is suitable and appropriate for public consumption. This will be analogous to what occurs for publishing information to the NRC public website and public ADAMS. Visitors will be referred to a comment policy on the NRC website that indicates they should submit comments that conform to ethical standards and should be suitable for general public consumption (if applicable, see Appendix A). OPA at their discretion, as moderators, may choose not to publish comments or remove those that do not meet comment policy standards (Facebook).

OPA administrators and moderators, as well as other designated NRC staff moderators, will adhere to standard security rules for establishing account logins and profiles. This information is included in Management Directive MD 5.5: Public Affairs Program.

Social media websites and applications are external, and third party hosted.

Therefore, no internal system security plan is currently required. Users should also consult the website security policies of social media websites and applications they subscribe to for more information as they apply.

PIA Template (07-2022) 17

a. If yes, when was Assessment and Authorization last completed?

And what FISMA system is this part of?

Yes, Authority to Use was recertified via email from NRC CIO David Nelson on September 29, 2017 (ML17286A073). Intent to post public information to Instagram was acknowledged via email by CISO copying OCIO on August 23, 2022 (ML22237A248).

Contact:

Natalya Bobryakova, OCIO IT Specialist: (301) 287-0671.

b. If no, is the Assessment and Authorization in progress and what is the expected completion date? And what FISMA system is this planned to be a part of?

N/A.

c. If no, please note that the authorization status must be reported to the Chief Information Security Officer (CISO) and Computer Security Offices (CSOs) Point of Contact (POC) via e-mail quarterly to ensure the authorization remains on track.

N/A.

PIA Template (07-2022) 18 Appendix A

Social media interactions and applications covered by this privacy impact assessment include:

Blogging Tool - GSAs WordPress Micro-blogging Tool, such as Twitter.com (via GSA)

Video Channel, such as YouTube.com (via GSA)

Photo Gallery, such as Flickr.com (via GSA)

Social Networking, such as Facebook (via GSA)

Social Networking, such as Instagram (via GSA)

Future areas will be added as the need for additional NRC official presence sites are further established. To support the expansion of the Open Governance capabilities, to increase collaboration, transparency, and participation in the NRC regulatory activities, it is expected that multiple solutions will be leveraged by the NRC. This envisioned approach is consistent with the desire to increase NRC's communication channels in support of various business and Open Government needs.

Purpose Blogging Tool Site WordPress.com (via GSA)

Privacy Policy https://automattic.com/privacy/

Registration requirements Account profile information (name, title, and other information (required for NRC adequate to represent the NRC authorized representatives to administrator and the public) moderator managing the Username - for account NRC public blogs) Password - for account E-mail Address - NRC email address of the NRC representative Other Information WordPress will be used by OPA or a designated office representative to publish content that is publicly available or conduct close-ended discussions on topics of interest for the purpose of informing the public. Visitors will have the option to post comments on published content and optionally provide their name and email address as part of the dialogue. This information will not be solicited by the NRC. Visitors may also choose to submit comments anonymously. A comment policy will be posted and available to visitors to establish expectations and guidelines on comments submitted and their use by the NRC.

WordPress uses cookies to help identify and track visitors, their usage of the website, and their website access preferences.

WordPress visitors have the option to refuse cookies before using WordPress, with the drawback that certain features of WordPress may not function properly. WordPress will not share cookie information with the NRC and NRC will not solicit this information.

Visitors Visitors may post a comment anonymously or voluntarily provide their name (or alias) and an email address. Names and email addresses are often provided by these services to establish a conversation on the web between the NRC blogger and public site visitors.

Purpose Video Channel PIA Template (07-2022) 19 Site YouTube.com (via GSA)

Privacy Policy https://policies.google.com/privacy?hl=en Registration E-mail Address - NRC email address of the NRC Requirements representative (required for NRC Username - Publicly-displayed username for the account.

administrator and Password - for account moderator managing Location (Country) - for account the NRC Video Postal Code - for account Channel)

Other Information YouTube will be used by OPA or a designated office representative to publish videos that are publicly available on topics for the purpose of informing and educating the public.

Visitors will NOT have the option to post comments about the videos. YouTube registration requires an email address and password. This information will not be collected by NRC.

Visitors For some activities on YouTube, like posting comments, flagging videos, or watching restricted videos, visitors will need to establish a YouTube or Google Account. Some personal information is required to create an account, including an email address and a password. This information is used to protect the visitors' account from unauthorized access. No account information is needed for viewing videos. No account information is collected by the NRC.

Purpose Micro-blogging Tool Site Twitter.com Privacy Policy https://twitter.com/en/privacy Registration Account profile information (name, title, and other information Requirements adequate to represent the NRC authorized representatives to (required for NRC the public) administrator and Username - for account moderator managing Password - for account the NRC Twitter feed) E-mail Address - NRC email address of the NRC representative Other Information Twitter will be used by OPA or a designated office representative to publish snippets of content for the purpose of providing information to the public. Visitors will have the option to flag as favorite, retweet, or reply in response to the agency's twitter posts. In order to retweet or reply, visitors will be asked to register on the Twitter site. Registration requires the user to enter their name, email address, username, and password. This information will not be collected by NRC. A policy will be posted and made available to visitors to establish expectations on replies submitted and their use by the NRC.

Visitors In order to retweet or reply to the tweets posted by OPA or NRC authorized representatives, visitors must sign up for a Twitter account. Along with any comments/tweets posted on the site, Twitter publishes the individual's name and username.

Purpose Photo Gallery Site Flickr.com (via GSA)

Privacy Policy https://www.flickr.com/help/privacy

PIA Template (07-2022) 20 Registration Account profile information (name (first and last), gender, Requirements birthday, country, postal code)

(required for NRC Username - for account administrator and Password - for account moderator managing E-mail Address - NRC email address of the NRC the NRC Photo representative Gallery)

Other Information Flickr will be used by OPA or a designated office representative to publish photos in order to raise awareness of the agency's current activities, enhance information about existing collections of visual content such as historic photos, and allow the public to easily browse, view, and download content. Visitors will NOT have the option to post comments. Other content may be viewable to the public at large. Flickr registration requires an email address and password. This information will not be collected by NRC.

Visitors Visitors may view photos or content on Flickr without having an account. However, in order to add a photo to a user's "Favorites",

they must have a Flickr account. Some personal information is required to create an account, including an email address and a password. This information is used to protect the visitors' account from unauthorized access. No account information will be collected by NRC.

Purpose Social Networking Tool Site Facebook.com (via GSA)

Privacy Policy https://www.facebook.com/privacy/policy/

Registration Account profile information (name, title, and other information Requirements adequate to represent the NRC authorized representatives to (required for NRC the public) administrator and Username - for account moderator managing Password - for account the NRC public blogs) E-mail Address - NRC email address of the NRC representative Other Information Facebook will be used by OPA to publish content that is publicly available on topics of interest for the purpose of informing the public. Visitors will have the option to post comments on published content. This information will not be solicited by the NRC. A comment policy will be posted and available to visitors to establish expectations and guidelines on comments submitted and their use by the NRC.

Facebook uses cookies to enable features, provide personalized experience, protect security of accounts, improve, deliver, and understand advertisements on Facebook, and to research the use of products and services. Facebook visitors have the option to refuse cookies before using Facebook, with the drawback that certain features of Facebook may not function properly.

Facebook will not share cookie information with the NRC and NRC will not solicit this information.

PIA Template (07-2022) 21 Visitors Visitors, by virtue of creating an account with Facebook, have provided information including names, email addresses, birthdays and gender some of which is always publicly available according to Facebook policy. However, the NRC will not solicit personally identifiable information from visitors.

Purpose Social Networking Tool Site Instagram.com (via GSA)

Privacy Policy https://privacycenter.instagram.com/policy/

Registration Account profile information (name, title, and other Requirements information adequate to represent the NRC authorized (required for NRC representatives to the public) administrator and Username - for account moderator managing Password - for account the NRC public blogs) E-mail Address - NRC email address of the NRC representative Other Information Instagram will be used by OPA to publish content that is publicly available on topics of interest for the purpose of informing the public. Visitors will have the option to post comments on published content. This information will not be solicited by the NRC. A comment policy will be posted and available to visitors to establish expectations and guidelines on comments submitted and their use by the NRC.

Instagram uses cookies to enable features, provide personalized experience, protect security of accounts, improve, deliver, and understand advertisements on Instagram, and to research the use of products and services. Instagram visitors have the option to refuse cookies before using Instagram, with the drawback that certain features of Instagram may not function properly.

Instagram will not share cookie information with the NRC and NRC will not solicit this information.

Visitors Visitors, by virtue of creating an account with Instagram, have provided information including names, email addresses, birthdays and gender some of which is always publicly available according to Instagram policy. However, the NRC will not solicit personally identifiable information from visitors.

PIA Template (07-2022) 22 PIA Template (07-2022) 23PRIVACY IMPACT ASSESSMENT REVIEW/APPROVAL (For Use by OCIO/GEMSD/CSB Staff)

System Name: Official Presence Use of Social Media Platforms Submitting Office: Office of Public Affairs A. PRIVACY ACT APPLICABILITY REVIEW X Privacy Act is not applicable.

Privacy Act is applicable.

Comments:

The social media websites and applications covered by this privacy impact assessment (PIA) may require users to submit some personally identifiable information (PII) during the registration process when an account is required by the third-party social media service. As a result, PII may transit and be displayed during the sign-up/log-on transaction and subsequent interactions. The NRC will not solicit or collect this PII.

When NRC uses the social media websites and applications listed in Appendix A, NRC will not: 1) actively seek PII, and may only use the minimum amount of PII, which it receives, to accomplish a purpose required by statute, executive order, or regulation (all other PII received will be managed in accordance with the requirements and analytical understanding outlined in this PIA); 2) search social media websites or applications for or by PII; and 3)friend public users proactively.

When NRC uses the social media websites and applications listed in Appendix A, NRC may: 1) establish usernames and passwords to form profiles, so long as they are easily identifiable as NRC accounts; and

2) interact on social media websites or applications on official NRC business.

As a requirement of this PIA, PII may not be retrieved by personal identifier, thus, a Privacy Act System of Records Notice is not required.

Unless otherwise directed by statute, executive order, or regulation the NRCs Office of Public Affairs (OPA) will serve as the primary account holder for all NRC official presence social media websites and applications and will manage and approve all NRC content posted on these public-facing networks. All content disseminated through official NRC accounts must be approved by OPA (or, by agreement with OPA, by authorized NRC employees in each office) prior to posting. OPA (or authorized NRC employees) will ensure that all posted content falls within the appropriate requirements for publicly available information and materials. OPA will, when necessary, act as the final authority on what content is acceptable for posting.

If NRC posts a link that leads to a social media application or website, the NRC will provide an alert to the visitor, such as a statement adjacent to the link or a pop-up, explaining that visitors are being directed to a nongovernment website that may have different privacy policies from those of the NRCs official website.

If NRC has an operational need to use social media interactions or applications that are outside the scope of the requirements and analytical understanding outlined in this PIA, a separate PIA must be written to address the specific privacy concerns that may be unique to that initiative.

Reviewers Name Title Privacy Officer Signed by Hardy, Sally on 09/21/22

PIA Template (07-2022) 24B. INFORMATION COLLECTION APPLICABILITY DETERMINATION X No OMB clearance is needed.

OMB clearance is needed.

Currently has OMB Clearance. Clearance No.

Comments:

Guidance in OMBs memorandum on Social media, Web-Based Interactive Technologies, and the Paperwork Reduction Act, (April 7, 2010) states that items collected by third party websites or platforms that are not collecting information on behalf of the Federal Government are not subject to the PRA..

Reviewers Name Title Agency Clearance Officer C. RECORDS RETENTION AND DISPOSAL SCHEDULE DETERMINATION No record schedule required.

X Additional information is needed to complete assessment.

X Needs to be scheduled.

Existing records retention and disposition schedule covers the system - no modifications needed.

Comments:

Reviewers Name Title Sr. Program Analyst, Electronic Records Manager Signed by Cullison, David on 09/12/22 Signed by Dove, Marna on 09/21/22

PIA Template (07-2022) 25D. BRANCH CHIEF REVIEW AND CONCURRENCE X This IT system does not collect, maintain, or disseminate information in identifiable form from or about members of the public.

This IT system does collect, maintain, or disseminate information in identifiable form from or about members of the public.

I concur in the Privacy Act, Information Collections, and Records Management reviews:

Acting Chief Cyber Security Branch Governance and Enterprise Management Services Division Office of the Chief Information Officer Signed by Partlow, Benjamin on 09/29/22

PIA Template (07-2022) 26TRANSMITTAL OF PRIVACY IMPACT ASSESSMENT/

PRIVACY IMPACT ASSESSMENT REVIEW RESULTS TO: Stephanie West, Office of Public Affairs Name of System: Official Presence Use of Social Media Platforms Date CSB received PIA for review:

August 1, 2022Date CSB completed PIA review:

September 21, 2022 Noted Issues:

Based on the social media interactions and applications, no PII will be solicited or Collected, Privacy Act System of Records Notice is not required.

Need to ensure public website is updated to reflect the addition of Instagram.

Acting Chief Cyber Security Branch Governance and Enterprise Management Services Division Office of the Chief Information OfficerSignature/Date:

ture:

Copies of this PIA will be provided to:

Thomas G. Ashley, Jr.

Director IT Services Development and Operations Division Office of the Chief Information Officer Garo Nalabandian Acting Chief Information Security Officer (CISO)

Office of the Chief Information Officer Signed by Partlow, Benjamin on 09/29/22

Retrieved from "https://kanterella.com/w/index.php?title=ML22249A062&oldid=3721753"